Crowdsourcing SecOps Through REN-ISAC - Internet2


  • Crowdsourcing SecOps Through REN-ISAC

    Kim Milford, REN-ISAC Executive Director

    Chris O'Donnell, REN-ISAC Lead Security Engineer

  • [ 2 ]

    Crowdsourcing CyberSecurity Through REN-ISAC

    Origin Story

    Adventures in Crowdsourcing

    Collective Intelligence Framework and Security Event System

    Passive DNS

    Community Interchange

    CSIRT Activities

    HECVAT

    Other Community Opportunities

  • [ 3 ]

    Origin Story

    "I've spent more time in the past 18 months on cybersecurity than I did during the previous ten years."

    Dr. Brad Wheeler, Vice President for Information Technology, Indiana University

  • [ 4 ]

  • [ 5 ]

    VDBIR 2017: Education Sector

  • REN-ISAC

    Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities.

    Provide a trusted community of representatives at member institutions, and in service to the R&E community at-large.

    Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.

  • The REN-ISAC Community

    REN-ISAC Membership, by Institution Type

    Type of Institution                 Nov. 2015   April 2017   Growth
    US College, Private for-profit              1            3   200.0%
    US College, Private not-for-profit        150          183    22.0%
    US College, Public                        225          258    14.7%
    Medical Science / Medical Center           12           14    16.7%
    Non-Medical Department                      2            2     0.0%
    Non-US College                             29           35    20.7%
    Research Center                            19           21    10.5%
    Network                                     8           10    25.0%
    Consortium / Univ. Administration          11           16    45.5%
    Partner                                     0            2        -
    Grand Total                               457          544    19.0%

  • [ 8 ]

    The REN-ISAC Community

  • [ 9 ]

    Security Event System utilizing the Collective Intelligence Framework (CIF)

  • [ 10 ]

  • [ 11 ]

    SES/CIF Recent Collaborations

    2016: University of Michigan integrated open source threat intelligence into existing infrastructure

    Source data from SES, honeypots, and other sources

    CIF as the threat repository

    Indicators fed into BIND, SpamAssassin, Bro, and a custom anti-phishing Chrome plugin

    Shared threat data with other institutions

    2017: NCSA integrated the current CIF and future CIF features into their Science DMZ Actionable Intelligence Appliance (SDAIA) project.
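    The Michigan pipeline above feeds CIF indicators into BIND, and the BEC slide later in the deck describes converting shared indicators into protections via SES. The added example below (not code from the deck, REN-ISAC, or the CIF project) shows one way to do that step: filter CIF-style indicator records by confidence and render them as a BIND Response Policy Zone (RPZ). The record fields mirror CIF's indicator/itype/confidence/tags layout, but the sample feed, the zone name, and the 75-point confidence threshold are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample feed shaped like CIF indicator records; values are made up.
SAMPLE_FEED = [
    {"indicator": "bad-example.test", "itype": "fqdn", "confidence": 85, "tags": ["phishing"]},
    {"indicator": "maybe.example.test", "itype": "fqdn", "confidence": 40, "tags": ["suspicious"]},
    {"indicator": "192.0.2.44", "itype": "ipv4", "confidence": 95, "tags": ["botnet"]},
    {"indicator": "198.51.100.0/24", "itype": "ipv4", "confidence": 90, "tags": ["scanner"]},
    {"indicator": "http://evil.example.test/login", "itype": "url", "confidence": 99, "tags": ["phishing"]},
]

def rpz_ip_name(cidr: str) -> str:
    """Encode an IPv4 address/network as an RPZ IP trigger name:
    <prefixlen>.<octets reversed>.rpz-ip, e.g. 24.0.100.51.198.rpz-ip."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"

def build_rpz_records(feed, min_confidence=75):
    """Emit RPZ RR lines for fqdn/ipv4 indicators at or above min_confidence.
    'CNAME .' is the RPZ NXDOMAIN action; URL indicators are skipped (RPZ matches names, not paths)."""
    records = []
    for rec in feed:
        if rec["confidence"] < min_confidence or rec["itype"] not in ("fqdn", "ipv4"):
            continue
        if rec["itype"] == "fqdn":
            name = rec["indicator"].rstrip(".")
            records.append(f"{name} CNAME .")    # the domain itself
            records.append(f"*.{name} CNAME .")  # and every subdomain
        else:
            records.append(f"{rpz_ip_name(rec['indicator'])} CNAME .")
    return records

def render_zone(records, zone="rpz.example.test", serial=None):
    """Wrap the records in a minimal zone file; the zone name is an assumption."""
    if serial is None:
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d00"))
    header = [
        "$TTL 300",
        f"@ IN SOA {zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + records) + "\n"

if __name__ == "__main__":
    print(render_zone(build_rpz_records(SAMPLE_FEED)))
```

    Low-confidence and URL-type indicators are deliberately left out so that a noisy feed does not become a blanket block list; BIND loads the rendered file through its response-policy configuration.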

  • [ 12 ]

    Evolution of CIF

    Monolithic to modular

    From HTTP/REST to P2P real time distribution

    Discovery service for peering

  • [ 13 ]

    NCSA CIF Collaboration: What's Next

    Have a Honeynet that generates a fair amount of data

    Using/testing the P2P model

    The "smrt" parser from CIF is being used throughout the model

    Initially running over Internet2

  • [ 14 ]

    Collaboration Evolved

    CIF's design and modularity allow it to integrate well with existing solutions

    As with the NCSA example, CIF (and by extension smrt) makes it easier to get the data you want to share out to others

    Larger scale sharing with P2P

  • [ 15 ]

    Passive DNS

    "REN-ISAC sets the gold standard for threat information sharing in the industry. Farsight Security is proud to help REN-ISAC protect its members from targeted attacks."

    Dr. Paul Vixie, CEO and Cofounder, Farsight Security, Inc.

  • [ 16 ]

    What is passive DNS?

  • [ 17 ]

  • [ 18 ]

  • [ 19 ]

  • [ 20 ]

  • [ 21 ]

  • [ 22 ]

  • [ 23 ]

  • [ 24 ]

    Passive DNS Project - What and Why?

    Currently in the early stages of the project; 4 active contributors; seeking additional contributors

    Exchanging data for product access

    Contributing to Global Good

  • [ 25 ]

    Community Collaboration and Crowdsourcing

    "The REN-ISAC is a force multiplier."

    Anonymous REN-ISAC member representative

  • [ 26 ]

    List Topic 09/2017: Business Email Compromise (BEC)

    Individual indicators were shared

    Correlation by other members confirming if they saw similar emails, and shared further details

    REN-ISAC passes the info to those that can perform action

    Convert indicators to protections via SES

  • [ 27 ]

    List Topic 09/2017: Apache Struts

    Members were able to share details to allow faster responses

    Lots of details

    TL;DR - a lot of accurate operational data was shared in a concise format in a very timely manner

  • [ 28 ]

    Non-Emergency Sharing

    Logging practices and implementation

    Authentication strategies

    Patching and scanning practices

    Vendor and product info and experiences

  • [ 29 ]

    Other REN-ISAC Services

    Daily Watch

    Ops Briefs

    TechBursts

    Member Meetings

    SANS Training Discounts

  • [ 30 ]

    2017 CSIRT Activity

    Category                         Q1       Q2       Q3      YTD   YTD Q3 2016
    Credentials                   1,483    3,559    1,096    6,138     1,056,092
    Compromised Machines         14,376   16,261   17,600   48,237        54,443
    Open Recursive DNS Resolvers    707      357      565    1,629         2,113
    Spam or Phish                   118       92       93      303         2,314
    Open Mail Relays                 39       37       30      106           114
    Other                            70       28       14      112            51
    Total                        24,907   17,777   14,351   15,357     2,270,137

  • [ 31 ]

    2017 CSIRT Activities

    Sept 2017 Exploits (chart; bar values as extracted, in order: 1692, 923, 669, 378, 291, 258, 251, 227, 209, 181)

    WannaCry (2017), Conficker (2008), XcodeGhost (2015), Gozi (2013), Mirai (2016), Bedep (2015), Sality (2003), ZeroAccess (2013), Necurs (2016), Ramnit (2015)

  • [ 32 ]

    DDOS 2017

  • [ 33 ]

    Higher Education Cloud Vendor Assessment Tool (HECVAT)

  • [ 34 ]

  • [ 35 ]

    Crowdsourcing CyberSecurity Through REN-ISAC

    Resources and References

    www.REN-ISAC.net
    https://github.com/csirtgadgets/csirtg-smrt-py
    www.nist.gov/cyberframework
    www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
    www.farsightsecurity.com/
    https://www.internet2.edu/news/detail/14254/
    https://git.ncsa.illinois.edu/awithers/sdaia

  • Chris O'Donnell, REN-ISAC Lead Security Engineer

    Thank you!

    CROWD-SOURCING SECOPS THROUGH REN-ISAC

    Kim Milford, REN-ISAC Executive Director
